Security Insights - 19th May 2025

Here’s our look at significant cybersecurity research, incidents, and policy changes from the past week

Unsafe Dependencies - Two Poisoned Packages, Two Playbooks

os-info-checker-es6 – Unicode steganography meets Google Calendar C2

First posted to npm on 19 Mar 2025, os-info-checker-es6 looked like a harmless OS-info utility. Two days later, new versions swapped plain JS for compiled .node loaders that decode invisible Unicode variation selectors, extract Base64, and run it. Version 1.0.8 then fetched its real payload via a Google Calendar short link, adding retries and a lock file for persistence. Using a trusted service like Google Calendar helps the attack avoid detection and makes early blocking harder. Veracode

solana-token on PyPI

ReversingLabs found this imposter library exfiltrating blockchain developers’ source code to a fixed IP. It was downloaded 761 times before removal.

Artificial Intelligence - Faster Offence, Louder Alerts

The UK NCSC warns that by 2027, AI will make attackers significantly faster and more effective, outpacing defenses. This is worsened by organisations deploying AI without vital security guardrails, almost certainly heightening the frequency and impact of cyber threats.

Darktrace says nearly four in five CISOs already see AI in phishing or malware, yet half feel underprepared.

At the same time, the FBI has issued a PSA about deep‑fake voice calls impersonating senior US officials.

Automation now works for both sides, so response loops must tighten.

APT Focus - Earth Ammit and the Drone Supply Chain

Trend Micro links a Chinese‑speaking group to attacks on ERP systems that feed drone manufacturers in Taiwan and South Korea, delivering backdoors VENOM and TIDRONE. [Trend Micro research]

The Foundation for Defense of Democracies (FDD) research institute, focusing on national security and foreign policy, uncovered cloned consulting sites targeting recently laid‑off US federal staff for potential intelligence gathering. [FDD memo]

Insider and Infrastructure Shockwaves

• Nucor Steel shut several mills after an intrusion reached core servers. [SEC 8-K]
• Coinbase reported that overseas support contractors leaked customer data and demanded a 20 million USD ransom; Coinbase refused and offered a matching bounty. [Coinbase disclosure]
• DoorDash lost 2.59 million USD when insiders marked phantom deliveries complete. The insiders used customer accounts to place high-value orders and an employee’s credential to gain access to DoorDash software and manually reassign the orders to driver accounts they controlled [US DOJ indictment]

These incidents span heavy industry, fintech, and gig platforms, yet they share a lesson: least privilege and constant audit are cheaper than public disclosures.

Hardware Under Fire - Branch Privilege Injection

ETH Zürich researchers disclosed Branch Privilege Injection, a speculative‑execution flaw that leaks memory across privilege boundaries on every Intel CPU since 2018. Firmware fixes are rolling out now. [ETH Zürich announcement]

Policy Moves - NHS Cyber Security Charter

To curb ransomware in healthcare, NHS England asks tech suppliers to sign a voluntary charter committing to MFA, immutable backups, and 24/7 monitoring. [NHS letter]

Compartmentalised Kill Chains and a Smarter Diamond Model

Sophisticated campaigns rarely belong to one crew. Cisco Talos discusses how Initial Access Brokers, ransomware affiliates, and infrastructure sellers now operate like subcontractors. Their proposed Relationship Layer for the Diamond Model tracks who hands what to whom, avoiding false attribution.

The ToyMaker -> Cactus collaboration proves the value of that extra context. Graph thinking showing who sold access and who used it. Attacker-centric (or adversary-centric) models are a key theme here. Talos research

Closing Thoughts

Attackers are working smarter together. AI continues to be a big factor for everyone. Our trust in code and partners is also often a weak link. The takeaway: always check your software, your suppliers, and who has access.